PSD2: Taking advantage of open-banking disruption

The second Payment Services Directive (PSD2) is part of a global trend in bank regulation emphasizing security, innovation, and market competition. By requiring banks to provide other qualified payment-service providers (PSPs) connectivity to access customer account data and to initiate payments, PSD2 represents a significant step toward commoditization in the EU banking sector.

Our recent survey of bank executives shows that most are alert to the threat and are exploring innovative and potentially lucrative business opportunities opened up by PSD2. However, banks need to act promptly to chart a precise business strategy and gain a fast-mover advantage. While PSD2 is a European initiative, it provides an example for other markets such as China and the United States that are taking gradual steps toward open banking. As part of a continuing series on global trends toward open banking, this article reports on banks’ progress toward PSD2 compliance and their preparation to compete for new retail and corporate business opportunities.

PSD2 in the context of market disruption

Several global trends pose serious challenges to established bank and nonbank payments organizations. Technology innovations (for example, digital payments and cloud-based applications) are lifting customer expectations for both convenience and security. Upgrades in infrastructures are making faster payments an increasingly common offering, while also facilitating the convergence of cards, e-wallets, and other payments types. Attacks from fintechs and digital-ecosystem owners are exerting additional downward pressure on pricing. Due in part to persistently low interest rates and the cap on interchange fees, challenging payments economics are thus combining with other disruptive forces to reshape the global payments industry. The potential impacts of PSD2 and other regulatory changes promoting innovation and competition should be understood within this context.

Competition for customer touchpoints and secure access to customer data is fiercer than ever, spurring organizations in diverse industries (such as media, telecommunications, digital technology, and banking) to form partnerships that strengthen their position as orchestrators. For banks and nonbanks alike, this means thinking not only of transactions and liquidity management, but looking broadly at customer journeys. For retail customers, this might include services supporting buying decisions; for corporates, this could mean an integrated view of supply-chain management.

What PSD2 requires and when

PSD2 requires banks to grant qualified third parties automated access to customer transaction accounts, covering both retail and corporate customers.¹ 1.Certain corporate-account and transaction-management functions, such as data exchange using the Electronic Banking Internet Communication Standard, will not change with implementation of PSD2. By enabling fintechs, large technology firms, other banks, and even certain retail organizations to go head-to-head with banks as PSPs, PSD2 aims to provide lower costs and higher security for consumers and to afford merchants greater flexibility to differentiate customer experiences, including payments.

The complex regulatory architecture of PSD2 comprises issues ranging from transparency in pricing to security, incident reporting, and technology. As a set of principles, the directive gives national governments considerable leeway in crafting precise legal requirements and standards. The broad architecture of the directive can be summarized according to three pillars: Pillar 1 concerns transparency, including stronger customer rights and stricter reporting standards for banks, as well as increased transparency in pricing. It is important to note that pricing must be nondiscriminatory, meaning that charges for account access and payments initiation must be the same for end customers and third parties. Pillar 1 also enlarges the scope of the directive to include transactions where at least one party is located in the European Economic Area. Pillar 2 concerns security, including requirements for strong customer authentication (SCA). Pillar 3, which covers access to accounts, includes the technological standards by which financial institutions—referred to as account-servicing payment-service providers—must allow other PSPs to connect with their systems to access account information and initiate payments on behalf of customers. These standards also require banks to provide a protected “sandbox” to PSPs for testing and ongoing development of services that use the bank’s interface.

Compliance with PSD2 is required in two phases (Exhibit 1). Pillar I (transparency) became effective upon the directive’s transposition into national law on January 13, 2018. The anticipated implementation date for Pillars 2 and 3 is the third quarter of 2019, 18 months after the official publication of the final regulatory technical standards on SCA, which is expected in February 2018.

Challenges and opportunities for banks

Once the new transparency standards are implemented, competition on pricing will likely intensify. And, as technologically agile PSPs begin leveraging automated access to customer accounts with the implementation of Pillar 3, the squeeze on both pricing and margins will almost certainly tighten further. Indeed, our recent survey of regional and domestic banks shows that increased pressure on pricing and margins is a top concern for bank executives as they plan for the implementation of PSD2.² 2.In June, July, and September of 2017, McKinsey surveyed about 20 banks (nearly half of them regional banks, half of them domestic) across Europe about their preparation for the implementation of PSD2. Data were collected through a written survey of 17 questions and executive interviews. Responses are reported as aggregate data.

In particular, account-to-account (A2A) payments alternatives will pose a serious threat to card issuing and acquiring businesses, not only on pricing but potentially on speed as well, if combined with the SEPA Instant Credit Transfer (SCT Inst) scheme. If third parties leverage speed, pricing, and benefits (such as loyalty programs for consumers and improved liquidity and customer analytics for businesses), they may well take control of customer experiences, depriving banks of cross-selling opportunities both among retail consumers and corporate clients. In a large European market, the threat posed by new service providers offering A2A solutions could potentially place €50 million to €100 million of bank revenues at risk.

While PSD2 poses serious threats to current business models, it also creates opportunities for banks to compete as technology innovators, wielding powerful analytical tools to extract valuable insights from their vast stores of proprietary data. Market dynamics and customer attitudes may favor banks that can capture opportunities quickly and effectively. If third parties do not gain the full trust of customers, banks could retain their role as trusted financial anchor, as customers would not find it attractive to provide third parties access to their data or accounts (unless recommended by banks). But there are no guarantees that banks will be able to defend their status as secure trusted advisors. In the worst-case scenario, closed-loop ecosystems could emerge and reduce banks to the role of balance-sheet provider. Customer interactions would be reduced significantly, with current account transactions limited primarily to incoming salary deposits and outgoing payments to fund transaction accounts at another PSP. Third parties would handle all transactions and accumulate the associated customer data (Exhibit 2).

Challengers on all sides

The implementation of PSD2 will bring winners and losers, with banks facing strong attacks from new nonbank PSPs. Agile organizations with capital to invest in innovative solutions and new business models stand a better chance of countering these challenges successfully. The executives participating in our survey hold diverse views on the type of organization most likely to benefit from PSD2. Some expect that fintech innovators and small and medium-size “attacker banks” are better placed to move fast and disrupt the payments market. Others expect that large banks will benefit most from PSD2 implementation (Exhibit 3).

To sustain strong returns under PSD2, a smaller bank might attack with an integrated payments-and-financial-management solution, while a large incumbent might build its own ecosystem, offering access to a broad selection of applications from diverse providers. In either approach, banks must design highly efficient, scalable technology architecture to support innovative solutions. If they strike the right balance of financial-asset management and data-asset augmentation, they have the potential to boost revenue, strengthen margins, and increase market share.

Investing to lead PSD2 disruption

The fundamental technology requirement for mandatory compliance is an interface (for example, an open application programming interface (API)) allowing account-information service providers (AISPs) and payment-initiation service providers (PISPs) access to client account and transaction information.³ 3.Banks must provide system access to diverse client-facing AISPs and PISPs, enabling them to seamlessly access bank account systems via an open interface to verify availability of funds, block funds, initiate transactions, and conduct transaction-risk analysis. Some existing standards, such as EBICS, are already compliant. Most of the banks we surveyed reported that they were on track to comply fully with directive.

Most banks report that they do not expect security to become a problem under PSD2; however, they also recognize that they must invest in fraud management. Banks are responsible for mitigating fraud risk and will need to implement advanced controls, including advanced analytics (for example, to validate the origin of inbound calls to the API) and strong tools to detect fraud attacks. The survey respondents indicated that the risk of fraud arising from third-party access to accounts is a serious concern and that fraud prevention is a top priority.

Most of the banks surveyed are looking beyond compliance toward new business opportunities. Several are aiming high and investing to lead the PSD2 revolution. Indeed, many executives report that they view PSD2 compliance as part of a broad digital transformation. In addition to implementing the API interfaces necessary to support PSP connectivity, most banks are using the implementation of PSD2 to build new processes, acquire new skill sets, and realign the organizational structure around data collection and analysis.

Survey results also show that most regional banks are crafting strategies for capturing new revenue and extending market share with innovative, data-intensive use cases for both retail and corporate clients. On the corporate side, executives consider multi-account management, transaction management, and cash management/cash pooling as the use cases with the highest potential impact. As an indication of how far these development efforts have advanced, nearly 40 percent of the banks surveyed report that they have also selected technology partners to deliver new offerings under PSD2 (Exhibit 4).

Retail and corporate business opportunities: Banker views

In retail and corporate payments alike, the biggest opportunities combine capabilities associated with PSD2 (data aggregation and A2A transactions) with improvements in settlement and clearing infrastructures, including faster payments. In both retail and corporate environments, payments and finance use cases will increasingly be embedded within digital applications that address the full value chain (Exhibit 5).

In consumer-to-business payments, several banks are developing A2A solutions for in-store and e-commerce transactions, bill payments, and tax payments. Banks should design the A2A platform to accommodate faster payments (as the European Payments Council’s SEPA Instant Credit Transfer scheme goes live), and the business-case justification should consider the likely cannibalization of card revenues as merchants adopt the lower-cost A2A model.

On the corporate side, most bank executives expect use cases in multi-account management and cash management to have the biggest impact on client operations (although some markets already have such services available). Leveraging A2A solutions potentially in conjunction with faster payments, a bank could help small and medium-size enterprises (SMEs) and midsize corporates in particular to streamline B2B payments, improving working-capital management with integrated payables and receivables. PSD2 also opens the way for new use cases in cash pooling and foreign exchange across multiple banks. Large corporates will most likely continue to use their current cash-management solutions, as these services already embed advanced features that would require long development times under the PSD2 framework. Developing a state-of-the-art cash-management solution tailored for SMEs and midsize corporates could generate €15 million to €30 million in additional revenue for a leading European bank (depending on the bank’s customer base). In this context, incumbents will probably have a competitive advantage over regional banks (given their current operations and client franchise); however, fintechs could gain market share by developing solutions for specific verticals.

Another potentially high-impact opportunity among corporate clients is to optimize the use of internal data for risk scoring and cross-selling. Several banks in our survey group already aggregate data from other institutions where their retail customers hold accounts, providing a sound foundation for broadening the scope of their digital offering.

On the retail side, lifestyle apps would likely integrate consumer budgeting tools, consumer finance, mortgages, insurance, and investments. This solution involves a much broader functional scope than banks typically offer, spanning the full customer shopping journey and drawing on data from diverse sources, such as social media, Internet, and in-store searches. Half of the banks we surveyed view “lifestyle apps” as the most important retail use case arising from PSD2.

By consolidating customer data from diverse sources across the enterprise (in keeping with the EU’s General Data Protection Regulation), banks can generate a 360-degree view of customer interactions. With customer permission, this view could be expanded to include transactions and account information at other institutions. Insights could trigger finely tailored cross-selling offers and support highly precise risk scoring for more competitive pricing of loans and reduction in risk costs. The primary measure of success would be the incremental increase in the bank’s share of the client’s transaction-banking wallet.

The use cases described above can be integrated with diverse applications in an open digital platform supporting an ecosystem of providers and end users. The diversity of use cases available on the platform both enhances the ecosystem’s ability to attract users and increases the number of touchpoints and interactions. These interactions not only generate revenue, but also data, which can in turn be used to personalize services and to develop new solutions for adjacent use cases. For example, Alipay, which originally developed as a way for buyers and sellers to transact business on Alibaba’s e-commerce marketplaces, generates extra liquidity that users can invest in an online money-market fund, Yu’e Bao. Alibaba and its financial-services affiliate, Ant Financial, also use the vast data generated by users on its e-commerce marketplaces to rate the creditworthiness of users and extend loans to consumers and the small and medium-size businesses that trade on its platform.

The functional breadth of applications delivered and accessed through the platform depends on the core value proposition of the ecosystem. In the case of Alipay, the ecosystem has developed around Alibaba’s platform for retail and wholesale e-commerce. In other cases, the ecosystem may be more focused on financial services, or it may meet the procurement and financing needs of companies in a particular vertical.

Recommendations

Banks should look broadly at the evolution of customer journeys (in both retail and corporate environments) and at the changes in how participants interact in diverse ecosystems. What value is at risk? Which pieces of the value chain must the bank support to increase value under PSD2? No bank can deliver all use cases to all customer segments. Depending on the markets they serve, some banks will emphasize consumer-oriented “lifestyle” use cases, and others will focus on new use cases for corporate clients. Staying focused on the markets and use cases where they can beat the competition on a sustained basis, banks should follow the steps below as they build a strategy for PSD2:

• Define the bank’s ambition, and be prepared either to lead or to execute a fast-follower approach. It is critical to establish a mechanism to identify, test, and, if successful, scale up use cases faster than the competition.
• Conduct a comprehensive use-case evaluation. Banks should weigh carefully the strategic impact of potential business opportunities arising from PSD2. What is the potential of each use case to augment customer touchpoints and data stores, increase revenue, and expand market share? In addition to gains and losses in revenue and the cost of technology upgrades, the use case should also consider the necessary changes in bank culture and talent pool.
• Evaluate the potential of data (and customer touchpoints) as a core asset. Recognizing the potential to apply advanced analytics to internal data reserves to enhance fraud detection, customer relationship management, and credit scoring, several banks are already leveraging existing customer data to jump ahead of the competition. Over the next 18 months, banks should act aggressively to optimize the use of proprietary data, particularly for cross-selling and loan pricing, in retail as well as corporate banking.
• Consider building a finance-based ecosystem or leveraging an existing one. While requiring significant management attention and potentially capital investments as well, ecosystems offer the opportunity to co-opt some third-party organizations, retain customer touchpoints, generate additional data on customers, increase pricing power, and tap new sources of revenue. Developing an ecosystem strategy is particularly relevant for larger, primarily branch-based incumbents.
• Define the groupwide strategy for opening up under API banking. Banks should assess the IT implications of PSD2 both for transaction platforms and groupwide systems and architecture. Winning under PSD2 is not simply a matter of maintaining connectivity for account queries and transaction initiation, but also seizing the opportunity to reduce costs and improve response times by streamlining the IT architecture, from account servicing to groupwide data management. IT design should be flexible to accommodate fast-evolving fraud controls and regulatory standards.
• Identify potential technology partners. How can a bank attract the right PSPs to their solutions-development “sandbox”? Banks should leverage the strengths of fintech innovators, established technology providers, and even other banks that can deliver flexible technology solutions for customer use cases to support continual innovation.

---

Building selectively on existing market solutions, PSD2 consists primarily of a set of principles and generally avoids concrete prescriptions. It is thus very clear about the what, but uncertain about the how and to what end. While there is considerable uncertainty about both the gravity and timing of the threats to emerge under the PSD2, the new regulation opens highly attractive opportunities for established payments organizations. But to win, banks will need to capture this disruption and turn it to their advantage.